SocketDev · lelia · Apr 24, 2026 · Apr 24, 2026 · Apr 24, 2026 · Apr 24, 2026
@@ -26,4 +26,4 @@
 - [ ] `socket_basics/version.py` updated to new version
 - [ ] `socket_basics/__init__.py` updated to the same version
 - [ ] `action.yml` `image:` ref updated to `docker://ghcr.io/socketdev/socket-basics:<new-version>`
-- [ ] `CHANGELOG.md` `[Unreleased]` section reviewed
+- [ ] `CHANGELOG.md` updated with human-authored release notes for this version
@@ -7,11 +7,11 @@ name: _docker-pipeline (reusable)
 #
 # Two modes:
 #   push: false  →  build + smoke test + integration test (main image only)
-#   push: true   →  above + push to GHCR/Docker Hub + update floating v-tag
+#   push: true   →  above + push exact version tags to GHCR/Docker Hub
 #
 # Permissions required from the calling workflow:
 #   push: false  →  contents: read
-#   push: true   →  contents: write, packages: write
+#   push: true   →  contents: read, packages: write
 
 on:
   workflow_call:
@@ -41,7 +41,7 @@ on:
       tag_push:
         description: >
           True when the caller was triggered by a tag push (e.g. v2.0.0).
-          Controls the floating major-version tag update and the 'latest' Docker tag.
+          Controls semver metadata-action tagging for exact release tags.
           Passed explicitly rather than relying on github.ref_type inside the callee,
           since context propagation in reusable workflows can be ambiguous.
         type: boolean

@@ -80,64 +80,26 @@ jobs:
       DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
       DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
 
-  # ── Job 3: Create GitHub release + update CHANGELOG ────────────────────────
+  # ── Job 3: Create GitHub release ───────────────────────────────────────────
   # Runs once after the image is successfully pushed (not for workflow_dispatch
   # re-publishes — those don't create new releases).
-  # Generates categorised release notes from merged PR labels (.github/release.yml),
-  # creates the GitHub Release, then commits the CHANGELOG update back to main.
+  # Generates categorised release notes from merged PR labels (.github/release.yml).
+  # CHANGELOG updates are intentionally human-authored in the release PR so this
+  # workflow never needs to push commits to the protected default branch.
   create-release:
     needs: [resolve-version, build-test-push]
     if: github.ref_type == 'tag'
     permissions:
-      contents: write   # create GitHub release + commit CHANGELOG back to main
+      contents: write   # create GitHub release
     runs-on: ubuntu-latest
-    env:
-      VERSION: ${{ needs.resolve-version.outputs.version }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: main
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: 🤖 Generate socket-release-bot token
-        id: bot
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-        with:
-          app-id: ${{ secrets.GH_BOT_APP_ID }}
-          private-key: ${{ secrets.GH_BOT_APP_PEM_FILE }}
-          owner: SocketDev
-          repositories: socket-basics
-
       - name: 📝 Create GitHub release with auto-generated notes
         env:
-          GH_TOKEN: ${{ steps.bot.outputs.token }}
+          GH_TOKEN: ${{ github.token }}
           REF_NAME: ${{ github.ref_name }}
         run: |
           gh release create "$REF_NAME" \
             --title "$REF_NAME" \
             --generate-notes \
             --verify-tag \
           || echo "Release already exists (re-run scenario) — skipping creation"
-
-      - name: 📋 Update CHANGELOG.md
-        env:
-          GH_TOKEN: ${{ steps.bot.outputs.token }}
-          REF_NAME: ${{ github.ref_name }}
-        run: |
-          NOTES=$(gh release view "$REF_NAME" --json body --jq .body)
-          DATE=$(date +%Y-%m-%d)
-          echo "$NOTES" | python scripts/update_changelog.py \
-            --version "$VERSION" \
-            --date "$DATE"
-
-      - name: 🔀 Commit CHANGELOG back to main
-        env:
-          BOT_TOKEN: ${{ steps.bot.outputs.token }}
-        run: |
-          git config user.name "socket-release-bot[bot]"
-          git config user.email "socket-release-bot[bot]@users.noreply.github.com"
-          git remote set-url origin "https://x-access-token:${BOT_TOKEN}@github.com/SocketDev/socket-basics.git"
-          git add CHANGELOG.md
-          git diff --cached --quiet || git commit -m "chore: release ${github.ref_name} — update CHANGELOG [skip ci]"
-          git push origin HEAD:main
@@ -8,6 +8,21 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ## [Unreleased]
 
+## [2.0.3] - 2026-04-24
+
+<!-- Release notes generated using configuration in .github/release.yml at main -->
+
+## What's Changed
+### 🔧 Other Changes
+* fix: Harden GHA workflows by @reberhardt7 in https://github.com/SocketDev/socket-basics/pull/58
+* docs: cleanup docs guidance, additional workflow hardening by @lelia in https://github.com/SocketDev/socket-basics/pull/60
+* fix(rules): improve precision of 4 high-FP dotnet opengrep rules by @dc-larsen in https://github.com/SocketDev/socket-basics/pull/63
+
+## New Contributors
+* @reberhardt7 made their first contribution in https://github.com/SocketDev/socket-basics/pull/58
+
+**Full Changelog**: https://github.com/SocketDev/socket-basics/compare/v2.0.2...v2.0.3
+
 ## [2.0.2] - 2026-03-23
 
 <!-- Release notes generated using configuration in .github/release.yml at v2.0.2 -->

@@ -35,7 +35,7 @@ jobs:
       - name: Run Socket Basics
         # Pin to a commit SHA for supply-chain safety.
         # Dependabot will keep this up to date automatically — see docs/github-action.md.
-        uses: SocketDev/socket-basics@<sha>  # v2.0.2
+        uses: SocketDev/socket-basics@<sha>  # v2.0.3
         env:
           GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
         with:
@@ -168,10 +168,10 @@ For GitHub Actions, see the [Quick Start](#-quick-start---github-actions) above
 
 ```bash
 # Pull the pre-built image (recommended — no build step required)
-docker pull ghcr.io/socketdev/socket-basics:2.0.2
+docker pull ghcr.io/socketdev/socket-basics:2.0.3
 
 # Run scan
-docker run --rm -v "$PWD:/workspace" ghcr.io/socketdev/socket-basics:2.0.2 \
+docker run --rm -v "$PWD:/workspace" ghcr.io/socketdev/socket-basics:2.0.3 \
   --workspace /workspace \
   --python-sast-enabled \
   --secret-scanning-enabled \

@@ -4,7 +4,7 @@ author: "Socket"
 
 runs:
   using: "docker"
-  image: "docker://ghcr.io/socketdev/socket-basics:2.0.2"
+  image: "docker://ghcr.io/socketdev/socket-basics:2.0.3"
   env:
     # Core GitHub variables (these are automatically available, but we explicitly pass GITHUB_TOKEN)
     GITHUB_TOKEN: ${{ inputs.github_token }}